High Severity

Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x)


Multiple sub-components of IBM i ship log4j v1.x files, making them vulnerable to the issue described in the vulnerability details section. IBM Navigator for i (heritage version) uses log4j v1.x and cannot be updated to log4j v2.x. Integrated Web Server (IWS) V2.6 contains unused references to log4j v1.x packages. On IBM i 7.2, Integrated Application Server (IAS) V7.1 and V8.1 and Integrated Web Server (IWS) V1.3 and V1.5 use log4j v1.x and cannot be updated to log4j v2.x. IBM i Access Client Solutions (ACS) version 1.1.8.6 and earlier included an unused log4j v1.x jar file. IBM i has addressed the applicable CVE as described in the Remediation/Fixes section.

CVE(s): CVE-2021-4104

Affected product(s) and affected version(s):

| Affected Product(s) | Version(s) |
|---|---|
| IBM Navigator for i (heritage version only) | IBM i 7.4, 7.3, and 7.2 (heritage version) |
| Integrated Web Server (IWS) | IBM i 7.4, 7.3, and 7.2 – V2.6; IBM i 7.2 – V1.3 and V1.5 |
| Integrated Application Server (IAS) | IBM i 7.2 – V7.1 and V8.1 |
| IBM i Access Client Solutions | 1.1.8.6 and earlier |

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6539162
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048
